📙 You will learn
How to install and run the ThreadFix Plugin for Burp Suite.
Prerequisites
Audience: IT Professional, or End User
Difficulty: Basic
Time needed: Approximately 5 minutes
Tools required: Burp Suite Application, Burp Suite Plugin
Burp Suite Application and Plugin Downloads
Download the latest build of Burp Suite application
Install and launch the Burp Suite application.
In ThreadFix, click the Help icon and select Download Tools.
Download the Burp Plugin from the Download Tools page in ThreadFix.
Install ThreadFix Plugin
From the Extender tab, within the Extensions sub-tab, click the Add button.
From the Load Burp Extensions modal, in the Extension file (.jar) field, select the threadfix-release-2-burp.jar file downloaded from the ThreadFix Download Tools page.
A new ThreadFix Main tab will be presented with three buttons:
- ThreadFix > Main > Import Endpoints From Source
- ThreadFix > Main > Import Endpoints From ThreadFix
- ThreadFix > Main > Export Scan
Import Endpoints
Please ensure that the following are set up correctly in ThreadFix before continuing.
- A Team with an Application is set up
- The Application is linked to its source code
- An API key has been created and it is accessible
From the ThreadFix Main tab, click the desired 'Import Endpoints...' button.
Import Endpoints From Source
Import Endpoints From ThreadFix
From the ThreadFix > Options tab, enter the ThreadFix URL & API Key, the ThreadFix application from which to get endpoints, and the Target URL.
Note: Add "/rest/latest" to the end of the ThreadFix URL in order for Burp to connect using the latest version of the API.
If running ThreadFix over HTTPS, it may be necessary to import the ThreadFix server's certificate into Burp's trust store (<burp-install>/jre/lib/security).
Then, from the ThreadFix > Main tab, click Import Endpoints From ThreadFix.
Run Spider
Burp will import endpoints from the source code.
Begin the spider by choosing Spider from the Target tab.
Burp will then begin scanning and will show its progress.
Once the scan is complete, it can be exported to ThreadFix.
Export Scan
Select the ThreadFix > Main tab and click the Export Scan button.
Enter the correct URL and API key.
Choose the application in ThreadFix to which the scan should be exported.
A message will display informing that the export succeeded.
Check ThreadFix to verify that the scan was uploaded.
Import ThreadFix Server Certificate
Burp comes packaged with its own JRE, which is used when running the exe program. Users needing to import the ThreadFix server's certificate, in order to connect to it, should import it into <Burp Install>/jre/lib/security/cacerts.
Example command:
keytool -importcert -file /path/to/mythreadfix.cer -keystore /<burp path>/jre/lib/security/cacerts -alias tfcert
Note: the ThreadFix certificate should have a SubjectAlternativeName, or there may be trouble establishing a connection. It should have at least the server's DNS name, plus its IP as a backup. For information on how to obtain the ThreadFix server's certificate, click here.
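As an added illustration (not part of the ThreadFix documentation), a small POSIX shell helper that checks a certificate file for the SubjectAlternativeName entries described above before importing it into Burp's bundled JRE trust store. The function names, the sample paths and the use of the Java default cacerts password `changeit` are assumptions.

```shell
#!/bin/sh
# Hypothetical helper (not from the ThreadFix docs): verify that a ThreadFix
# server certificate carries the SAN entries Burp needs, then import it into
# <Burp Install>/jre/lib/security/cacerts with keytool.

# Print the SAN entries of a PEM certificate, one per line (nothing if absent).
# Uses "openssl x509 -text" so it works on old and new OpenSSL releases.
cert_san_entries() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep .
}

# 0 if the certificate has at least one DNS SAN entry, 1 otherwise.
cert_has_dns_san() {
    cert_san_entries "$1" | grep -q '^DNS:'
}

# 0 if the certificate also lists an IP address SAN (the "backup" entry).
cert_has_ip_san() {
    cert_san_entries "$1" | grep -q '^IP Address:'
}

# Import the certificate into Burp's bundled JRE trust store, refusing when
# the DNS SAN check fails and warning when no IP SAN is present.
# $1 = certificate path, $2 = Burp install dir, $3 = alias (default tfcert)
import_threadfix_cert() {
    cert="$1"; burp="$2"; alias="${3:-tfcert}"
    keystore="$burp/jre/lib/security/cacerts"
    if ! cert_has_dns_san "$cert"; then
        echo "refusing to import: $cert has no DNS SubjectAlternativeName" >&2
        return 1
    fi
    cert_has_ip_san "$cert" || echo "warning: $cert has no IP SAN backup" >&2
    # "changeit" is the password Java ships with for the default cacerts file.
    keytool -importcert -noprompt -trustcacerts -file "$cert" \
        -keystore "$keystore" -storepass changeit -alias "$alias"
}
```

Run `import_threadfix_cert /path/to/mythreadfix.cer "/<burp path>"` after sourcing the script; a certificate lacking a DNS SAN is rejected before keytool is invoked.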